
How to show output result overtime (TimeChart)?

SecDesh
Path Finder

Good Morning,

I am attempting to use a TimeChart that will show me the ratio of my GET/POST HTTP requests within the span of 1 hour. However, the output in my TimeChart only displays the latest result, regardless of what time (i.e. if the current ratio output is .75 as of 9:00pm, it will display as .75 for 8:00pm, even though it was .50 at 8:00pm). Here is my current search query:

index=nsm source="/nsm/zeek/logs/current/*http*"
| eventstats count(eval(method="GET")) as GET, count(eval(method="POST")) as POST
| eval Ratio=round(GET/POST, 2)
| timechart span=1h values(Ratio)


I've attempted many different things, including Time Modifiers, but so far no luck. This is the closest I have got to where I want, but it will not accurately display the Ratio of the previous time. Is there any way around this?

1 Solution

somesoni2
Revered Legend

You're calculating ratio before the hourly aggregation can take place hence the wrong result. Try something like this:

index=nsm source="/nsm/zeek/logs/current/*http*"
| timechart span=1h count(eval(method="GET")) as GET, count(eval(method="POST")) as POST
| eval Ratio=round(GET/POST, 2)
| table _time Ratio

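To show why the accepted answer works, here is an added Python stand-in (not code from this thread or from Splunk) that runs the two pipelines over a few constructed Zeek-style http.log lines. The first function mirrors the original query (eventstats over the whole result set, then the ratio), the second mirrors the fix (count inside each hourly bucket first, then divide). The hour where no POST occurred is kept to show the division-by-zero case, which Splunk's eval returns as null and this code returns as None.

```python
"""Hourly GET/POST ratio computed two ways, to illustrate the accepted answer.

Added example, not code from the thread. The sample log lines below are
constructed in the shape of Zeek's JSON http.log (only ts and method).
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events: 20:00 has 1 GET / 2 POST, 21:00 has 3 GET / 4 POST,
# 22:00 has 2 GET / 0 POST (all timestamps 2022-06-27 UTC, epoch seconds).
SAMPLE_HTTP_LOG = """
{"ts": 1656360010.0, "method": "GET"}
{"ts": 1656360020.0, "method": "POST"}
{"ts": 1656361500.0, "method": "POST"}
{"ts": 1656363700.0, "method": "GET"}
{"ts": 1656363800.0, "method": "GET"}
{"ts": 1656364000.0, "method": "GET"}
{"ts": 1656364100.0, "method": "POST"}
{"ts": 1656364200.0, "method": "POST"}
{"ts": 1656365000.0, "method": "POST"}
{"ts": 1656366000.0, "method": "POST"}
{"ts": 1656367300.0, "method": "GET"}
{"ts": 1656367400.0, "method": "GET"}
""".strip()

SPAN = 3600  # seconds; the "span=1h" of the SPL


def parse_events(raw):
    """One JSON object per line, as Zeek writes http.log in JSON mode."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def bucket_label(ts):
    """Equivalent of `bin _time span=1h`: floor to the hour, label it like _time."""
    start = int(ts) - int(ts) % SPAN
    return datetime.fromtimestamp(start, tz=timezone.utc).strftime("%Y-%m-%d %H:00")


def ratio(get, post):
    """round(GET/POST, 2); Splunk's eval gives null on division by zero, so None here."""
    return None if post == 0 else round(get / post, 2)


def ratio_with_eventstats(events):
    """The original query: eventstats counts over the WHOLE result set, so every
    event carries the same GET and POST totals and timechart values(Ratio)
    shows one constant for every hour (the symptom the poster described)."""
    get = sum(1 for e in events if e["method"] == "GET")
    post = sum(1 for e in events if e["method"] == "POST")
    r = ratio(get, post)
    hours = sorted({bucket_label(e["ts"]) for e in events})
    return {h: r for h in hours}


def ratio_per_hour(events):
    """The accepted fix (timechart, or bin + stats ... by _time): count within
    each hourly bucket first, then divide per bucket."""
    counts = defaultdict(lambda: {"GET": 0, "POST": 0})
    for e in events:
        bucket = counts[bucket_label(e["ts"])]
        if e["method"] in bucket:
            bucket[e["method"]] += 1
    return {h: ratio(c["GET"], c["POST"]) for h, c in sorted(counts.items())}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_HTTP_LOG)
    for name, fn in (("eventstats first (wrong)", ratio_with_eventstats),
                     ("aggregate per hour (fix)", ratio_per_hour)):
        print(name)
        for hour, r in fn(evs).items():
            print(f"  {hour}  Ratio={r}")
```

Running it prints the same Ratio for all three hours in the eventstats version and 0.5, 0.75 and None per hour in the fixed version. The None row is the one to watch in a dashboard: an hour with no POST requests gives a null Ratio rather than a large number, so a Single Value panel or alert built on this field should treat null as "no data" rather than as zero.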

SecDesh
Path Finder

Exactly what I was looking for. As I was troubleshooting it initially, I tried doing a query like this:

index=nsm source="/nsm/zeek/logs/current/*http*"
| timechart span=1h count(eval(method="GET")) as GET, count(eval(method="POST")) as POST
| eval Ratio=round(GET/POST, 2)


But it didn't dawn on me to use the table format. Leaving it as it was only displayed the counts for GET. Thank you for the explanation and the solution.

Edit: In the event you have an additional solution to this, I inserted the code that worked in the Search Query into a panel of a Dashboard. I am trying to display my Ratio and its trend with the 'Single Value' visualization however the results always return the value '1' with no overall time/trend showing. Even though using other visualizations such as line, bar, and stat graphs present the accurate information.

If I remove the ... | table _time, Ratio, it'll display only the GET count but it would be accurate in the Single Value visualization and display the overall time. Do you know a fix for this by chance?

Edit 2.0: Found the fix for this. I had to go into 'Format Visualization' -> 'Number Format' and set the 'Precision' to '0.00'. Again, thanks for your help.


ITWhisperer
SplunkTrust

index=nsm source="/nsm/zeek/logs/current/*http*"
| bin _time span=1h
| stats count(eval(method="GET")) as GET, count(eval(method="POST")) as POST by _time
| eval Ratio=round(GET/POST, 2)

SecDesh
Path Finder

Your solution was close however the results presented seem to be the output of the division of GET/POST but not the ratio of GET/POST.

In other words, instead of displaying the ratio of GET/POST as .50, it displayed it as 1,381.
